David J. Goldberg, MD, JD, is director of Skin Laser and Surgery Specialists of New York and New Jersey; past director of Mohs and Laser Research, Icahn School of Medicine at Mount Sinai in New York, New York; and adjunct professor of law at Fordham University School of Law in New York City.
Dr Corona has a large dermatology practice. He also regularly performs studies on new treatments for a variety of dermatoses. Because he has been doing this research for more than 10 years, he has accumulated both demographic and physical data on thousands of patients. All these data are stored in his Health Insurance Portability and Accountability Act (HIPAA)–compliant electronic medical record (EMR) system.
A pharmaceutical company that wants to work with him on COVID-19–related dermatoses contacts his research nurse and asks for a copy of all this electronic data since the pandemic started in March 2020, which would allow them to develop better treatments for unusual dermatoses. Trying to be helpful, the nurse gives them the data.
One of Corona’s other employees finds out about this transfer of data. She tells some friends, one of whom is a former research patient in Corona’s office, about what has occurred. This patient is furious about the disclosure of her medical data and hires an attorney, who reaches out to Corona. He tells Corona that he will sue him for a HIPAA violation unless Corona settles with his client for $100,000.
Should Corona settle this case and pay the $100,000?
EMR is clearly here to stay. Despite all the benefits, EMR use also has introduced a number of problems—most important, perhaps, potential privacy breaches associated with electronic record and data storage. As more personal information, such as school records, credit card information, and bank account data, goes online and is stored electronically, people seem to have become accustomed to accepting the associated risks, especially in view of the convenience and other benefits that these data offer.
Although breaches of other personal data are intrusive and potentially harmful, medical records contain possibly the most private and personal information and therefore are subject to unique privacy and security concerns. For example, a breach of a customer’s banking records might cause temporary inconveniences, but credit cards can easily be cancelled and bank accounts can quickly be frozen. Once private medical information is breached, however, it is nearly impossible to mitigate the potential harm.
In light of these concerns, Congress passed HIPAA more than 20 years ago. Under this act, the US Department of Health &Human Services (HHS) has the authority to adopt standards for HIPAA-specified entities to follow in protecting, using, and disclosing patients’ medical information and records. There are specific obligations of medical practices regarding the safe keeping and privacy of protected health information. The Privacy Rule defines protected health information as medical information that is “individually identifiable” as pertaining to a specific patient. Individually identifiable information includes health information that (1) is maintained in any form or medium; (2) relates to, identifies, or could identify the person that the health information concerns; and (3) is transmitted or maintained by a covered entity.
The Privacy Rule covers, for example, what a patient’s doctors, nurses, and other health care providers put in their medical record conversations a doctor has with nurses and others about a patient’s care or treatment; information about a patient from a health insurer’s computer system; billing information about a patient at his/her office; and most other health information about a patient that is held by covered entities.
If patients believe that their privacy was breached under HIPAA requirements, they have the right to file a complaint with their health care provider or health insurer or directly with the United States government. They cannot, however, sue covered entities that commit HIPAA privacy violations. Instead, HHS and the Department of Justice have enforcement authority for HIPAA privacy complaints. After receiving patient complaints, HHS may then investigate and initiate civil administrative proceedings, if warranted.
Notably, the penalties for breaches of the Privacy Rule are relatively light. If HHS investigates a complaint, the matter goes through full administrative proceedings, and violations are found, the violators may be assessed civil penalties of between $100 and $50,000 per violation.
Even if a violation is found, HHS has the authority to waive the civil penalty. However, HIPAA also contains a criminal liability provision that outlaws the knowing disclosure or acquisition of individually identifiable health information in violation of the statute and the Privacy Rule. In reality, the rule itself has gone largely unused since taking effect.
Corona’s nurse has committed a HIPAA violation. He should have a risk management team review HIPAA privacy rules with his staff, and he should discuss with his attorney how to settle the case.